Difference between revisions of "Upgrading to Centos 7"
Revision as of 21:47, 3 January 2018
Turn Off SELINUX
It's a pain, we don't need it, turn it off. Edit /etc/selinux/config (/etc/sysconfig/selinux is a symlink to it) and set SELINUX=disabled; this takes effect at the next reboot. If you cannot reboot right now, put SELinux into "permissive" mode with "setenforce 0" and check with "sestatus". Permissive mode still records every would-be denial in /var/log/audit/audit.log, so it is a useful halfway house if you want to see what SELinux would have blocked before switching it off for good.
Fix the default for persistent log files
Out of the box journald keeps the journal in /run/log/journal, i.e. in RAM, and everything is lost at reboot. With the default Storage=auto in /etc/systemd/journald.conf it switches to persistent storage as soon as /var/log/journal exists, so create it, let tmpfiles set the right ownership and ACLs, and restart the daemon:
mkdir /var/log/journal
systemd-tmpfiles --create --prefix /var/log/journal
systemctl restart systemd-journald
Turn off "firewalld" and just use iptables
Again, firewalld is trying to be too sophisticated and is too obscure. Turn it off:
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
Masking (not just disabling) matters: a stray "systemctl start firewalld" later cannot bring it back and leave you with two firewalls fighting over the same tables.
Install the standard iptables service and run iptables:
yum install iptables-services
systemctl enable iptables
Make sure the correct tables are installed in /etc/sysconfig/iptables: that file is what the iptables service loads at boot, so until it holds your rules the host comes up with whatever the package default is. After changing rules live, persist them with "iptables-save > /etc/sysconfig/iptables" (or "service iptables save"), otherwise they are gone at the next restart.
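An added example for the firewalld-to-iptables switch above (this is not code from the original page): a script that generates an /etc/sysconfig/iptables ruleset in iptables-save format, syntax-checks it before committing, and then performs the mask/enable steps. The ruleset itself is my assumption about this host's role, i.e. SSH from anywhere and NFS only from the 10.0.0.0/24 farm network named in the /etc/exports line further down; TRUSTED_NET and the port list are the things to edit for another machine.

```bash
#!/bin/bash
# Added example, not from the original page: generate and install a static
# /etc/sysconfig/iptables ruleset for a CentOS 7 host that has had firewalld
# switched off. The ruleset is an ASSUMPTION about this host's role (SSH from
# anywhere, NFS only from the farm network); adjust before reuse.
set -eu

TRUSTED_NET="10.0.0.0/24"     # assumed: the farm network from the exports line on the page

# gen_rules: print the ruleset in iptables-save(8) format, which is what the
# iptables service reads from /etc/sysconfig/iptables at boot.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to traffic this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP so path-MTU discovery and ping keep working
-A INPUT -p icmp -j ACCEPT
# SSH from anywhere; fail2ban (see above) takes care of brute forcing
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# NFS only from the farm: rpcbind (111), nfsd (2049), mountd (20048, the
# CentOS 7 default). For NFSv3 clients also pin STATD_PORT and LOCKD_*PORT
# in /etc/sysconfig/nfs and add those ports here.
-A INPUT -s ${TRUSTED_NET} -p tcp -m multiport --dports 111,2049,20048 -j ACCEPT
-A INPUT -s ${TRUSTED_NET} -p udp -m multiport --dports 111,2049,20048 -j ACCEPT
# tell farm hosts "no" instead of silently dropping, so misconfigurations show up fast
-A INPUT -s ${TRUSTED_NET} -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# install_rules: the firewalld-to-iptables switch from the page, plus a syntax
# check of the new ruleset before it is committed. Must run as root.
install_rules() {
  gen_rules > /etc/sysconfig/iptables.new
  iptables-restore --test < /etc/sysconfig/iptables.new   # parse only, no commit
  mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
  systemctl stop firewalld
  systemctl disable firewalld
  systemctl mask firewalld          # so nothing can re-enable it behind your back
  yum -y install iptables-services
  systemctl enable iptables
  systemctl restart iptables        # loads /etc/sysconfig/iptables now
  iptables -S INPUT                 # eyeball the live ruleset
}

# "./rules.sh apply" installs; with no argument it only prints the ruleset.
if [ "${1:-}" = "apply" ]; then install_rules; else gen_rules; fi
```

Run it without arguments first and read the output; only "apply" touches the system. The REJECT before the chain's DROP policy is deliberate: hosts on the trusted network get an immediate "port unreachable" instead of a hanging connection, while everything else is dropped silently.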
Setup Fail2Ban
- See Fail2ban
Networking
A new feature makes sure the ethernet devices have a consistent name. See RedHat (link in the Gourd notes below).
The trick is to add one line per interface to /etc/udev/rules.d/70-persistent-ipoib.rules like:
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:30:48:ce:e2:38", NAME="farm"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:30:48:ce:e2:39", NAME="unh"
Pick names the kernel will never hand out itself (not eth0, eth1, ...), otherwise the rename can race with the kernel's own naming. This works well and helps with using the system. You can also set the HWADDR in the network-scripts; the interface then picks up the NAME/DEVICE from the script. Example from Pepper (conventionally /etc/sysconfig/network-scripts/ifcfg-farm):
TYPE=Ethernet
NAME=farm
HWADDR=52:54:00:85:bf:0e
DEVICE=farm
ONBOOT=yes
IPADDR=10.0.0.245
PREFIX=24
GATEWAY=100.0.0.100
DNS1=10.0.0.245
DNS2=10.0.0.253
DOMAIN=farm.physics.unh.edu
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
NM_CONTROLLED=no
Check GATEWAY before copying this: with IPADDR=10.0.0.245 and PREFIX=24 the gateway must lie inside 10.0.0.0/24, and 100.0.0.100 does not, so as written the default route is unreachable.
You probably want to turn off the NetworkManager completely (NM_CONTROLLED=no keeps it away from this one interface, masking it avoids surprises everywhere). See this:
systemctl stop NetworkManager
systemctl disable NetworkManager
systemctl mask NetworkManager
systemctl enable network
systemctl restart network
Fixup the hostname:
hostnamectl set-hostname "Your-Hostname"
Get LDAP login to work
You need to install openldap, openldap-clients and sssd-ldap (nss-pam-ldapd is in the yum line below but is not needed once sssd handles LDAP: authconfig with --enablesssd wires NSS and PAM to sss, not to nslcd):
yum install openldap openldap-clients sssd-ldap nss-pam-ldapd
Create and populate /etc/openldap/cacerts (copy from gourd), and create the /etc/sssd/sssd.conf file (copy from gourd). sssd.conf must be owned by root with mode 0600 or sssd refuses to start.
AUTHORIZE
authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir \
    --ldapserver=ldap://einstein --ldapbasedn=dc=physics,dc=unh,dc=edu --enablelocauthorize --enableldaptls --update
Note that --ldapserver=ldap://einstein together with --enableldaptls means StartTLS on port 389; the CA that signed einstein's certificate must be in /etc/openldap/cacerts, otherwise the TLS handshake fails and logins silently stop working.
Get Certificates and config file (from Gourd):
cd /etc/openldap
rsync -ravHAX 10.0.0.252:/etc/openldap/cacerts .
cd /etc/sssd
scp 10.0.0.252:/etc/sssd/sssd.conf .
Enable and start the sssd service, or restart it if it is already running:
systemctl enable sssd
systemctl start sssd
Test:
getent passwd
LDAP accounts should show up in the output; if only local accounts appear, check "systemctl status sssd" and the logs in /var/log/sssd/.
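An added example for the LDAP login section (not code from the original page): a set of checks that go beyond a bare "getent passwd". They verify that nsswitch really consults sss, that the probe account resolves through NSS rather than /etc/passwd, and that sssd.conf neither talks to the server in the clear nor has certificate checking switched off, which is exactly the trap the Gourd notes below walked into when the MD5-signed certificate was rejected and the config fell back to ldap:. Assumptions are mine: a single [domain/...] section in sssd.conf, standard file locations, and the account name to probe passed as the first argument.

```bash
#!/bin/bash
# Added example, not from the original page: post-authconfig checks for the
# sssd/LDAP login chain. ASSUMPTIONS: one [domain/...] section in sssd.conf,
# standard file locations, account to probe given as argument 1.
set -u

# nsswitch_uses_sss FILE DB: succeed if the "DB:" line in FILE lists sss.
nsswitch_uses_sss() {
  awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
                    END { exit found ? 0 : 1 }' "$1"
}

# classify_user NAME [PASSWD_FILE]: print "local", "sss" or "missing".
# A name that is in the local files proves nothing about LDAP, so probe with
# an account that exists only in the directory.
classify_user() {
  local name="$1" passwd_file="${2:-/etc/passwd}"
  if grep -q "^${name}:" "$passwd_file"; then
    echo local
  elif getent passwd "$name" >/dev/null 2>&1; then
    echo sss      # resolvable only through NSS, i.e. via sssd on this setup
  else
    echo missing
  fi
}

# sssd_conf_value FILE KEY: print KEY's value from the [domain/...] section,
# ignoring comments and the [sssd]/[nss]/[pam] sections.
sssd_conf_value() {
  awk -v key="$2" '
    /^[ \t]*[#;]/ { next }
    /^\[/         { in_domain = ($0 ~ /^\[domain\//); next }
    in_domain && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
      if (k == key) { v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
    }' "$1"
}

# sssd_tls_ok FILE: succeed only if identity lookups are encrypted (ldaps://
# or forced StartTLS) and the server certificate is actually verified.
# sssd always uses TLS for password binds, but plain ldap:// without
# ldap_id_use_start_tls sends every user/group lookup in the clear, and
# ldap_tls_reqcert = never/allow accepts any certificate at all.
sssd_tls_ok() {
  local uri tls reqcert
  uri=$(sssd_conf_value "$1" ldap_uri)
  tls=$(sssd_conf_value "$1" ldap_id_use_start_tls)
  reqcert=$(sssd_conf_value "$1" ldap_tls_reqcert)
  case "$reqcert" in never|allow) return 1 ;; esac
  case "$uri" in ldaps://*) return 0 ;; esac
  [ "$tls" = "true" ]
}

# check_login USER: run everything against the live system; non-zero on any failure.
check_login() {
  local user="$1" rc=0 db
  for db in passwd group; do
    nsswitch_uses_sss /etc/nsswitch.conf "$db" || { echo "FAIL nsswitch: $db does not list sss"; rc=1; }
  done
  systemctl is-active --quiet sssd || { echo "FAIL sssd is not running"; rc=1; }
  sssd_tls_ok /etc/sssd/sssd.conf || { echo "FAIL sssd.conf: LDAP lookups unencrypted or certificate unchecked"; rc=1; }
  case "$(classify_user "$user")" in
    sss)     echo "OK $user resolves via sss: $(getent passwd "$user")" ;;
    local)   echo "FAIL $user is in /etc/passwd; probe with an LDAP-only account"; rc=1 ;;
    missing) echo "FAIL $user not found; check sssd logs in /var/log/sssd/"; rc=1 ;;
  esac
  return $rc
}

if [ $# -ge 1 ]; then check_login "$1"; fi
```

Run it as "./ldapcheck.sh someldapuser" after the authconfig step. The TLS check is the one worth keeping around: a config that "works" because someone set ldap_tls_reqcert = never to get past a bad certificate passes getent just fine and is indistinguishable from a working setup until you look at the file.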
Get Automount working
Install autofs and also install nfs:
yum install autofs nfs-utils
Enable and start the NFS subsystem. rpcbind and rpc-statd are what an automount client needs; nfs-server is only required if this host also exports disks (see Disks below):
systemctl enable rpcbind
systemctl enable nfs-server
systemctl start rpcbind
systemctl start nfs-server
systemctl start rpc-statd
systemctl start nfs-idmapd
Install /etc/auto.master and /etc/auto.net
Create the mount point and start the automounter:
mkdir /net
systemctl enable autofs
systemctl start autofs
Disks
If there is a data drive, mount it. Edit /etc/fstab and add:
LABEL=data /data ext4 defaults 1 2
Export the drive:
echo "/data 10.0.0.0/24(rw,no_root_squash,async,no_subtree_check)" >> /etc/exports
exportfs -a -v
Two of those options deserve a second look before copying the line: no_root_squash means root on any host in 10.0.0.0/24 is root on /data (leave it out unless the clients genuinely need it), and async lets the server acknowledge writes before they reach disk, which is faster but can lose data if the server crashes.
SUDO
Fix the sudoers file.
- UNKNOWN ISSUE WITH SUDO and auth -- FIX ME
IPTables
Fail2Ban
Gourd
Initial
- Gourd would not boot from a USB stick. It seems the HW doesn't support this, though it is also possible the fault is with the front USB port. Boot from installer DVD.
- Standard server install
- No ethernet driver: nForce ethernet "forcedeth" not available, use the kmod-forcedeth driver from elrepo.org: http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/kmod-forcedeth-0.64-1.el7.elrepo.x86_64.rpm
- Note that Centos 7 (i.e. RHEL 7) comes standard with "firewalld". Not wanting to bother with "yet another config system for firewalls (tm)", this was disabled in favor of good old iptables, which is the underlying system anyway. This policy may change in the future. (To disable firewalld: "systemctl stop firewalld ; systemctl mask firewalld". To set up iptables: "yum install iptables-services; systemctl enable iptables", and then of course, configure the tables.)
- Network interfaces are now renamed to a "consistent scheme" see: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html
- FARM network = enp0s8 = farm
- UNH network = enp0s9 = unh
- Setting up bridge networking took a bit. The complication was that I just used "ifup" and "ifdown", and did not use "systemctl restart network".
- Setting up sssd: the LDAP authentication did not work when using TLS, because a certificate signed with MD5 is no longer accepted by the TLS libraries. We need new certificates! For now, connect with ldap: instead of ldaps:
- That does not appear to work for automount. Darn it!
- Copied more sane iptables rules from endeavour, including the blacklist.
Continued
- Copy the old ssh keys from backup to Gourd. Unfortunately, the keys in /root are not backed up. I grabbed the ones from endeavour.
- Set up proper (not MD5-signed) TLS certificates on Einstein, then get ldaps to work properly.
- Fix the NFS mounting issues. When mounting with nfsvers=4, the username and group do not get passed properly and everything shows up as "nobody". The cause is that NFSv4 sends names rather than numeric IDs, and client and server must agree on the id-mapping domain (Domain in /etc/idmapd.conf, defaulting to the host's DNS domain); when they differ, every name maps to nobody. The workaround here is to force automount to mount everything with nfsvers=3 in the auto.net file; setting the same Domain on both ends and restarting nfs-idmapd is the real fix.